SPECIFICATION

CRYPTOGRAPHY PRIVATE KEY STORAGE AND RECOVERY METHOD AND APPARATUS
BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates generally to cryptography systems. More
particularly, the present invention relates to an apparatus and method for storing and
recovering the private key in a public-key/private-key cryptography system.



2. The Prior Art

The RSA (Rivest, Shamir, and Adleman) scheme is a popular form of
public-key cryptography. The RSA scheme uses: a public key, consisting of a public
modulus n and a public exponent e; and a private key, consisting of the modulus n and a
private exponent d. The public modulus n is an integer that is the product of two distinct
prime factors p and q, i.e., n = pq. The factors are secret information and not disclosed
by the holder of the private key. The public exponent e is an integer that is relatively
prime to the values (p - 1) and (q - 1). The private exponent d is an integer such that ed
mod (p - 1) = ed mod (q - 1) = 1.

One application of the RSA scheme is to encrypt messages. Any party can use the
public key to encrypt a message that can only be decrypted by the holder of the private
key. Let m be the message to be encrypted, where m is an integer in the range 0 < m < n.
The encrypted message c is computed as c = m^e mod n. To decrypt the encrypted
message, the holder of the private key computes m = c^d mod n. For instance, party A
wishing to send an encrypted message to party B would encrypt the message by obtaining
party B's public key. Since the message can only be decrypted with the correct party B
private key that will be associated with the party B public key, only party B is able to
decrypt the message.

Another application of the RSA scheme is to sign messages. The holder of the
private key can apply a signature to a message that can be verified by any party using the
public key. Let m be the message to be signed, where m is an integer in the range of 0 <
m < n. The signature s is computed as s = m^d mod n. To verify the signature, any party
uses the public key to compute m' = s^e mod n. If the value of m' matches the value of m,
the signature is valid.

The security of the RSA scheme rests on the presumed difficulty of determining
the factors of the public modulus. That is, given n, it is believed to be very difficult to
determine the factors p and q such that n = pq. The difficulty of the factoring problem
increases as the size of p and q increases. In a practical implementation, p and q each
consist of hundreds or thousands of binary digits (bits); since n is the product of p and q,
it, too, consists of hundreds or thousands of bits.

The modular exponentiation operation used in RSA is a computationally
expensive operation. The complexity of the operation increases approximately linearly
with the number of bits in the exponent and quadratically with the number of bits in the
modulus. Fortunately, there are some well-known methods that reduce the computational
expense.

To reduce the expense of the public-key operation, it is common to pick the public
exponent to be a small number. This is acceptable because the security of the RSA
scheme is largely independent of the size of the public exponent. A popular choice for
the public exponent is e = 2^16 + 1; this value appears to be emerging as a de facto standard
for new applications. Other common choices are e = 3 and e = 17. With a small public
exponent, the computational expense of the RSA public-key operation is relatively small.
In other words, it is relatively inexpensive to encrypt a message or verify a signature.

Unfortunately, the private exponent d cannot be picked small. Its value cannot be
freely chosen; it must satisfy the condition that ed mod (p - 1) = ed mod (q - 1) = 1. The
security of the RSA scheme rests on p and q being large and arbitrarily selected. As a
result, d is an integer of a size comparable to that of the public modulus n. This makes
the expense of the private-key operation relatively high. In other words, it is relatively
expensive to decrypt a message or create a signature.
The expense of the private-key operation can be reduced by using the Chinese
Remainder Theorem (CRT). The CRT requires the computation of several quantities, as
follows:

d_p = d mod (p - 1);
d_q = d mod (q - 1);
v such that pv mod q = 1.

Then, the private-key operation y = g^d mod n is computed as:

a = (g mod p)^d_p mod p;
b = (g mod q)^d_q mod q;
y = a + [(b - a)v mod q]p.

If the expense of computing d_p, d_q, and v is neglected, the computational expense
of the private-key operation using the CRT is about one-fourth that of the private-key
operation not using the CRT. This is a large reduction in computational expense, and it
makes the CRT desirable for many applications.
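As an added example, not from the patent: the CRT private-key operation just described, written in Python with constructed toy-sized primes and checked against the plain g^d mod n computation. The constants and the names crt_params, private_op_crt and private_op_plain are my own assumptions.

```python
# Added example (not the patent's code): the CRT private-key operation
# y = g^d mod n computed from {p, q, d_p, d_q, v} and checked against the
# non-CRT computation. Constructed toy primes; real keys use hundreds of bits.

E = 65537                      # public exponent e = 2^16 + 1
P = 1000003                    # constructed prime p (toy size)
Q = 1000033                    # constructed prime q (toy size)


def crt_params(p, q, e):
    """Derive the full CRT parameter set {p, q, d_p, d_q, v} from p, q, e.

    d is the private exponent (e*d mod (p-1) = e*d mod (q-1) = 1).
    v is the inverse of p modulo q (pv mod q = 1), computed by modular
    exponentiation v = p^(q-2) mod q, which is valid because q is prime.
    """
    d = pow(e, -1, (p - 1) * (q - 1))      # modular inverse (Python 3.8+)
    return {
        "p": p, "q": q,
        "dp": d % (p - 1),
        "dq": d % (q - 1),
        "v": pow(p, q - 2, q),
        "d": d,                             # kept only for the reference check
    }


def private_op_crt(g, key):
    """y = g^d mod n via two half-size exponentiations and the recombination
    y = a + [(b - a) v mod q] p.  Python's % keeps (b - a) v mod q in 0..q-1."""
    p, q = key["p"], key["q"]
    a = pow(g % p, key["dp"], p)
    b = pow(g % q, key["dq"], q)
    return a + (((b - a) * key["v"]) % q) * p


def private_op_plain(g, key):
    """Reference: the non-CRT private-key operation y = g^d mod n."""
    return pow(g, key["d"], key["p"] * key["q"])


def sign_and_verify(m, key, e):
    """Sign m with the CRT operation and verify with the public key (n, e)."""
    n = key["p"] * key["q"]
    s = private_op_crt(m, key)
    return pow(s, e, n) == m % n
```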

Unfortunately, the expense of computing d_p, d_q, and v is not necessarily negligible.
Accordingly, many applications simply precompute the values of d_p, d_q, and v and store
them along with the factors p and q as part of the private key. An application that stores
the parameter set {p, q, d_p, d_q, v} can perform the private-key operation using the CRT
with the least possible computational expense. Each of the five parameters requires b bits
of storage, where b is the number of bits in a prime factor of the modulus. Thus, the total
storage for the private key is 5b bits.

In some applications, however, storing the private key as {p, q, d_p, d_q, v} is not
desirable because of the amount of storage space required. If the application instead
stores the private key as {p, q}, the private-key storage space is reduced from 5b bits to
2b bits, a reduction by a factor of 2.5. However, the application must then compute d_p,
d_q, and v each time it performs a private-key operation. This may be an undesirable
computational expense.

An example of an application where these issues are a concern is a low-cost smart
card used to create digital signatures. The card stores a set of RSA private keys, with
each key used to create signatures for a different purpose. For example, one key might be
used to sign purchases made with a particular credit card; another key may be used to
sign electronic mail messages; another key might be used to sign bank transactions; and
so on. Because of its low cost, the smart card has a limited amount of storage space. It is
desirable for the card to store as many private keys as possible in the limited space.
Furthermore, because of its low cost, the smart card has a simple processor with limited
computing capability. Since it is undesirable for the signature computation to take an
inordinate amount of time, it is important to minimize the computational expense of the
RSA private-key operation.

Another issue associated with computing d_p, d_q, and v is security. A common way
to compute d_p, d_q, and v from p and q is to use Euclid's algorithm, or common variations
thereof. Euclid's algorithm is a sequence of arithmetic operations that can be used to
solve the problem, "Given integers x and z, find y such that xy mod z = 1." The sequence
of operations depends on the numerical values of the operands; that is, a change in the
numerical values of y or z may cause a change in the order of arithmetic operations such
as multiply, subtract, etc. Such dependency may make the private key stored within an
application vulnerable to discovery by an attacker who cleverly chooses inputs to the
application while measuring externally available responses such as electrical current
draw, electromagnetic emissions, etc. Such attacks have been successfully carried out on
actual security devices, both commercial and governmental. To reduce vulnerability to
such attacks, it is desirable that the sequence of operations used to compute d_p, d_q, and v
not change with the values of p and q.

Continuing with the example of the low-cost smart card, the card includes an
arithmetic coprocessor that accelerates the modular exponentiation operations used in
RSA. During private-key operations, the modular exponentiation is vulnerable to attacks
of the type just described. To reduce vulnerability to such attacks, the coprocessor is
carefully designed to ensure that its sequence of operations does not depend on the values
of the operands. If, however, the smart card is also required to compute d_p, d_q, and v
during an RSA private-key operation, then the computation of d_p, d_q, and v is an
additional source of potential vulnerability. To reduce this added vulnerability, the
computation of d_p, d_q, and v must use a sequence of operations that does not depend on
the values of p and q. Since p and q are prime values, v may be computed using modular
exponentiation via the operation v = p^(q - 2) mod q. Thus, the smart card may use the
coprocessor to compute v, eliminating any new vulnerability associated with computing
v. However, it is not possible to compute d_p and d_q using modular exponentiation. Thus,
some scheme is needed to compute d_p and d_q in a way that does not introduce a new
vulnerability.

Although the preceding discussion has focused on applications that use the CRT,
not all applications do. Some applications perform the private-key operation without
using the CRT, since that is a simpler (although more expensive) operation. In some
such applications, storage space and security are still important issues.

The most direct way to store the private key in a non-CRT application is to store
the parameters {n, d}, where n is the public modulus and d the private exponent. Storing
the private key this way requires 4b bits.

Alternatively, in a non-CRT application, the private key could be stored simply as
{p, q}, where p and q are the prime factors of n. Each time a private-key operation is
performed, n and d are computed from the stored values of p and q. When stored in this
way, the private key requires 2b bits. This is a savings by a factor of 2 over storing the
key as {n, d}. The computation of n from p and q is a single multiply operation, since n
= pq. This is an inexpensive operation compared to modular exponentiation, and since it
is a single operation, it introduces no new vulnerability of exposing p and q. However, as
with d_p and d_q in the CRT case, the computation of d from p and q may be a significant
computational expense, and it may introduce a security vulnerability due to a
computational sequence that varies with the values of p and q.
Accordingly, it is an object of this invention to provide a parameterization of the
RSA private key for CRT applications that uses less storage space than the full parameter
set {p, q, d_p, d_q, v} and that provides better computational efficiency than the minimal
parameter set {p, q}.

It is also an object of this invention to provide a parameterization of the RSA
private key for non-CRT applications that uses less storage space than the full parameter
set {n, d} and that provides better computational efficiency than the minimal parameter
set {p, q}.

It is also an object of this invention to provide a means for computing the CRT
parameters d_p and d_q, and the non-CRT parameter d, in a manner such that the
computational sequence is independent of the values of the prime factors p and q, so as to
reduce vulnerability to attacks that exploit such dependence.

BRIEF DESCRIPTION OF THE INVENTION

To overcome these and other shortcomings of the prior art, disclosed herein is an
apparatus and method for providing a cryptography private key storage and recovery
scheme that both lessens space requirements and enhances security. More particularly,
the system of the present invention provides a means for deriving the private key from
stored parameters not previously employed and provides a means for computing certain
parameters while at the same time reducing security vulnerabilities.
One aspect of this invention is to replace the CRT parameters d_p and d_q, and the
non-CRT parameter d, with smaller parameters k_p, k_q, and k, respectively. The values of
k_p, k_q, and k are the values that satisfy the relationships:

k_p (p - 1) mod e = 1;
k_q (q - 1) mod e = 1;
k (p - 1)(q - 1) mod e = 1.

Each of k_p, k_q, and k has a value in the range of 1 to (e - 1), inclusive. Thus, each
requires no more bits than the number of bits needed to store the public exponent e. In
the popular case of e = 2^16 + 1, each of k_p, k_q, and k can be stored as a 16-bit value, (k_p -
1), (k_q - 1), or (k - 1), respectively.

In contrast, d_p and d_q each require b bits of storage, and d requires 2b bits of
storage, where b is the number of bits in a prime factor p or q. A typical value for b is
512, corresponding to a public modulus having 1024 bits. In this typical case, d_p and d_q
each require 32 times more storage space than k_p and k_q, and d requires 64 times more
storage space than k.

A CRT application that stores k_p and k_q can recover d_p and d_q by the following
calculations:

d_p = [1 + (p - 1)(e - k_p)] / e;
d_q = [1 + (q - 1)(e - k_q)] / e.

A non-CRT application that stores k can recover d by the following calculation:

d = [1 + (p - 1)(q - 1)(e - k)] / e.

In each of these calculations, "/" represents integer division; in each case, the dividend is
a multiple of the divisor, so there is no remainder. A proof that these calculations yield
the correct results is given at the end of this summary.

These calculations for d_p, d_q, and d require the application to perform division by
the public exponent e. In some applications, division may be an awkward or undesirable
operation. Furthermore, if an application implements the division using the usual
long-division sequence of operations, the sequence of operations may depend on the values of
p and q, making the private key vulnerable to attacks that exploit such dependence.

To avoid the need for division, a CRT application can recover d_p and d_q using the
following calculations:

compute u such that ue mod 2^b = 1;
d_p = [1 + (p - 1)(e - k_p)] u mod 2^b;
d_q = [1 + (q - 1)(e - k_q)] u mod 2^b.

A non-CRT application can recover d without using division via the following
calculation:

compute t such that te mod 2^(2b) = 1;
d = [1 + (p - 1)(q - 1)(e - k)] t mod 2^(2b).

A proof that these calculations yield the correct results is given at the end of this
summary.

Ignoring for the moment the computation of u and t, it is clear that these
calculations for the recovery of d_p, d_q, or d are computationally inexpensive and introduce
no security vulnerability. Each calculation consists of two or three integer
multiplications, three or four integer additions/subtractions, and a "mod 2^b" or "mod 2^(2b)"
operation. The multiplication, addition, and subtraction operations are similar to the
operations used to implement modular exponentiation. A single modular exponentiation
uses thousands of such operations, so the added burden of a few more operations is
negligible. The "mod 2^b" operation is simply truncation to b bits, and the "mod 2^(2b)"
operation is truncation to 2b bits; these, too, are negligible. The sequence of operations
does not depend on the values of p or q, so the calculation can be implemented without
introducing new vulnerability to attacks that exploit such dependence.

Turning now to the computation of u and t, it is easy to see there is no security
issue; the computation does not involve the private key, so it introduces no potential for
attack on the private key regardless of how it is implemented. It is also true that the
computation is inexpensive, as follows.

First, consider the case where the public exponent e is the same for all private
keys. In this case, u or t is a fixed value, so it can simply be stored once for all private
keys and retrieved as needed. Even if the private keys of interest are of different lengths,
that is, the value of b varies according to the private key, only one value for u or t needs
to be stored, that value being the one that corresponds to the largest value of b. For
values of b other than the maximum value, the stored value can simply be truncated using
"mod 2^b" for u or "mod 2^(2b)" for t. In the popular case where e = 2^16 + 1, it is not even
necessary to store u or t; either can be generated using the inexpensive calculations:

u = [1 + (2^32 - 2^16) + (2^64 - 2^48) + (2^96 - 2^80) + (2^128 - 2^112) + ...] mod 2^b;
t = [1 + (2^32 - 2^16) + (2^64 - 2^48) + (2^96 - 2^80) + (2^128 - 2^112) + ...] mod 2^(2b).

For other common choices of e such as e = 3 or e = 17, a similar calculation can be
derived.
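The CRT-side replacement of d_p, d_q by k_p, k_q and their recovery by both the division formula and the division-free formula, written out as an added example that is not part of the patent; u for e = 2^16 + 1 is built from the series given above. The toy primes, b, and the function names are constructed assumptions.

```python
# Added example (not the patent's code): store k_p, k_q instead of d_p, d_q
# and recover d_p, d_q (i) by integer division and (ii) division-free with
# u = e^-1 mod 2^b, where u for e = 2^16 + 1 comes from the alternating series.

E = 65537          # public exponent e = 2^16 + 1
P = 1000003        # constructed prime p (toy size; real keys use ~512+ bits)
Q = 1000033        # constructed prime q (toy size)
B = 20             # b: an integer with p < 2^b and q < 2^b


def small_params(p, q, e):
    """Return (k_p, k_q) with k_p(p-1) mod e = 1 and k_q(q-1) mod e = 1.

    Each value lies in 1..e-1, so for e = 2^16 + 1 it is stored as the
    16-bit value k - 1 instead of the b-bit d_p or d_q.
    """
    return pow(p - 1, -1, e), pow(q - 1, -1, e)


def recover_by_division(x, k_x, e):
    """d_x = [1 + (x - 1)(e - k_x)] / e; the dividend is an exact multiple of e."""
    num = 1 + (x - 1) * (e - k_x)
    assert num % e == 0, "dividend must be a multiple of e"
    return num // e


def u_for_65537(b):
    """u = e^-1 mod 2^b for e = 2^16 + 1, from the series
    1 + (2^32 - 2^16) + (2^64 - 2^48) + ... truncated by 'mod 2^b'."""
    u, shift = 1, 16
    while shift < b:                      # terms with 2^shift >= 2^b vanish mod 2^b
        u += (1 << (shift + 16)) - (1 << shift)   # adds 2^(32i) - 2^(32i-16)
        shift += 32
    return u & ((1 << b) - 1)             # 'mod 2^b' is truncation to b bits


def recover_without_division(x, k_x, e, u, b):
    """d_x = [1 + (x - 1)(e - k_x)] u mod 2^b: multiplications and a truncation."""
    return ((1 + (x - 1) * (e - k_x)) * u) & ((1 << b) - 1)


def storage_bits_crt(b, e):
    """Bits for {p, q, d_p, d_q, v} versus {p, q, k_p, k_q, v} (k stored as k - 1)."""
    return 5 * b, 3 * b + 2 * (e - 2).bit_length()
```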

ATMSP-001

Second, consider the general case where the public exponent e is different and
arbitrary for each private key. In this case, the application must calculate u or t using a
general-purpose algorithm that computes the multiplicative inverse of a number with
respect to a modulus that is a power of 2 (such as 2^b or 2^(2b)). Such algorithms are well
known and computationally inexpensive. In many applications, such an algorithm is
already implemented as part of the modular exponentiation operation; in particular, many
applications that use Montgomery multiplication, which is a popular means for
implementing modular exponentiation, include such an algorithm. Compared to the
expense of the modular exponentiation operation, the computational expense of executing
such an algorithm is usually small.
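An added example, not from the patent (which only says such routines are well known): one common fixed-sequence algorithm for the inverse of an odd e modulo 2^b, Newton iteration, together with the truncation of a stored inverse to a smaller b described above. The choice of Newton iteration and the function names are my own assumptions.

```python
# Added example (not the patent's code): general-purpose inverse of an odd e
# modulo 2^b, of the kind Montgomery-multiplication code already contains.
# Newton iteration x <- x(2 - e x) mod 2^b doubles the number of correct low
# bits per round, so it needs only O(log b) multiplications and its sequence
# of operations depends on b alone, not on the value of e.


def inverse_mod_pow2(e, b):
    """Return u with (e * u) mod 2^b == 1.  Requires e odd and b >= 1."""
    if e % 2 == 0 or b < 1:
        raise ValueError("e must be odd and b >= 1")
    mask = (1 << b) - 1
    x = 1                  # e * 1 = 1 (mod 2) for odd e: 1 correct bit
    bits = 1
    while bits < b:
        # if e x = 1 (mod 2^bits) then e x(2 - e x) = 1 - (1 - e x)^2
        # = 1 (mod 2^(2 bits)); '& mask' is the 'mod 2^b' truncation and
        # also maps a negative intermediate to its residue.
        x = (x * (2 - e * x)) & mask
        bits *= 2
    return x


def truncated_inverse(u_max, b):
    """The stored-once trick: the inverse for the largest b, truncated to b
    bits ('mod 2^b'), is the inverse modulo 2^b for any smaller b."""
    return u_max & ((1 << b) - 1)
```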

The discussion here has focused on the case where the public modulus n is the
product of two primes, p and q. This is the usual situation in the RSA scheme. However,
the RSA scheme can be generalized to a modulus that is the product of j primes, where j
is an integer, j > 2. Such a generalization is described in U.S. Patent No. 5,848,159. The
invention here applies to the generalized scheme. For example, consider a CRT
application with prime factors p_1, p_2, ..., p_j. There are j instances of the private exponent
d, defined by d_i = d mod (p_i - 1) for i = 1, 2, ..., j. To apply the invention, each d_i is
replaced by k_i when the key is stored, where k_i is the value such that k_i (p_i - 1) mod e = 1.
To recover d_i from k_i, calculate d_i = [1 + (p_i - 1)(e - k_i)] / e or d_i = [1 + (p_i - 1)(e - k_i)] u_i
mod 2^(b_i), where b_i is an integer such that p_i < 2^(b_i) and u_i is the value that satisfies e u_i mod
2^(b_i) = 1.

Proof of the formulas for d_p, d_q, and d. First it is proved that the formula

d_p = [1 + (p - 1)(e - k_p)] / e                                   (1)

yields the correct value for d_p by showing that e d_p mod (p - 1) = 1.
Let a = 1 + (p - 1)(e - k_p). First we need to show that a is a multiple of e, so that
the division operation in (1) yields an integer value. By definition, k_p (p - 1) mod e = 1.
Thus, k_p (p - 1) - 1 is a multiple of e. Since a = e(p - 1) - [k_p (p - 1) - 1], it follows that a
is a multiple of e.

Now let d_p be as in (1). Then e d_p mod (p - 1) = a mod (p - 1) = 1. This proves
formula (1).

Next we prove that the formula

d_p = [1 + (p - 1)(e - k_p)] u mod 2^b                            (2)

yields the correct value for d_p by showing that e d_p mod (p - 1) = 1.

Again let a = 1 + (p - 1)(e - k_p). It was previously shown that a is a multiple of e,
so we can write a = ce, where c is an integer. Since 0 < (p - 1) < 2^b and 0 < (e - k_p) < e, it
follows that 0 < a < e 2^b, hence 0 < c < 2^b. Now let d_p be as in (2). Then:

e d_p mod (p - 1)
  = e [au mod 2^b] mod (p - 1)
  = e [cue mod 2^b] mod (p - 1)
  = e [c mod 2^b] mod (p - 1)
  = ec mod (p - 1)
  = a mod (p - 1)
  = 1.
This proves formula (2).

The proofs for formulas

d_q = [1 + (q - 1)(e - k_q)] / e                                   (3)

d_q = [1 + (q - 1)(e - k_q)] u mod 2^b                            (4)

are identical to those for formulas (1) and (2), with: d_q replacing d_p; k_q replacing k_p; and
q replacing p.

The proofs for formulas

d = [1 + (p - 1)(q - 1)(e - k)] / e                                (5)

d = [1 + (p - 1)(q - 1)(e - k)] t mod 2^(2b)                       (6)

are similar to those for (1) and (2). The arguments for (5) and (6) are identical to those
for (1) and (2), respectively, with: d replacing d_p; k replacing k_p; (p - 1)(q - 1) replacing
(p - 1); and 2^(2b) replacing 2^b. The conclusion of the argument in each case is that ed mod
(p - 1)(q - 1) = 1. From this it follows that ed mod (p - 1) = ed mod (q - 1) = 1.

Viewed from a first vantage point a cryptosystem private key recovery device is
disclosed, comprising in combination, a processor, a nonvolatile memory space
operatively coupled to said processor, and a set of private key parameters stored in said
nonvolatile memory space utilizing less storage space than the full parameter set {p, q, d_p,
d_q, v} and providing better computational efficiency than the minimal parameter set {p,
q}, wherein the private key can be recovered from said set of stored private key
parameters.

Viewed from another vantage point a method for recovering a private key is
disclosed, comprising in combination, storing private key parameters in a memory space,
utilizing less storage space for said private key parameters than the full parameter set {n,
d}, and providing better computational efficiency than the minimal parameter set {p, q}.

BRIEF DESCRIPTION OF THE DRAWING FIGURES

FIG. 1 is a schematic diagram of the cryptosystem environment of the present
invention.

FIG. 2 is a flowchart of a first exemplary implementation of the present invention.

FIG. 3 is a flowchart of a second exemplary implementation of the present
invention.

FIG. 4 is a flowchart of a third exemplary implementation of the present invention.

FIG. 5 is a flowchart of a fourth exemplary implementation of the present
invention.

FIG. 6 is a flowchart of a fifth exemplary implementation of the present invention.

FIG. 7 is a flowchart of a sixth exemplary implementation of the present
invention.

FIG. 8 is a flowchart of a seventh exemplary implementation of the present
invention.

DETAILED DESCRIPTION OF THE INVENTION 

Persons of ordinary skill in the art will realize that the following description of the 
present invention is illustrative only and not in any way limiting. Other embodiments of 
the invention will readily suggest themselves to such skilled persons having the benefit of 
this disclosure. 

Fig. 1 illustrates a cryptosystem 10 capable of taking advantage of the invention. 
The cryptosystem 10 signs and decrypts messages provided to it via an I/O port 12. The 
cryptosystem 10 uses the RSA scheme to perform the signing and decrypting. The 
cryptosystem 10 has a processor 14 that controls all operations of the cryptosystem 10. 
The cryptosystem 10 has an arithmetic coprocessor (ACP) 16 that facilitates the
computations used in the RSA scheme when signing and decrypting. The private key
used to perform the signing and decrypting is stored in nonvolatile storage 18 within the
cryptosystem 10.

The cryptosystem 10 is capable of storing a collection of private keys in the
nonvolatile storage 18 and selecting a private key to be used for a particular signing or
decryption, according to commands given to it via the I/O port 12. The cryptosystem 10
is capable of computing the public key that corresponds to any private key stored in the
nonvolatile storage 18 and transmitting the public key to an external device 20 via the I/O
port 12.

The cryptosystem 10 is capable of generating private keys and storing them in the 
nonvolatile storage 18. When generating a private key, the cryptosystem uses a random 
number generator (RNG) 22 to ensure that the prime factors p and q of the private key are 
arbitrarily picked. The RNG 22 provides a random seed that is applied to an algorithm 
that generates p and q. When storing the private key, the cryptosystem 10 may store the 
seed instead of storing p and q, recovering the values of p and q by applying the 
algorithm to the seed each time the private key is used to sign or decrypt. 

The cryptosystem 10 is also capable of accepting private keys provided to it by
external devices 20 via the I/O port 12 and storing the private keys in the nonvolatile
storage 18. An externally provided private key may itself be encrypted by the external
device using the public key that corresponds to one of the private keys already present in
the nonvolatile storage 18 of the cryptosystem 10. In such a case, the cryptosystem 10
decrypts the encrypted private key using the private key already in nonvolatile storage 18,
then stores the decrypted private key in nonvolatile storage 18.

Regardless of whether a private key is generated by the cryptosystem 10 or
provided by an external device 20, the cryptosystem 10 is capable of using the invention
to reduce the amount of nonvolatile storage 18 needed to store the private key, and to
recover the private key quickly and without introducing security vulnerabilities. The
cryptosystem 10 has many related variations of how the invention can be applied to trade
off storage space versus recovery speed.

In a first example, and referring now to Figure 2, initially store the private key
parameters as {p, q, k_p, k_q, v} where: p and q are the prime factors of the public modulus;
v is the value satisfying pv mod q = 1; k_p is the value satisfying k_p (p - 1) mod e = 1,
where e is the public exponent; and k_q is the value satisfying k_q (q - 1) mod e = 1. To
recover the private key in the usual CRT form of {p, q, d_p, d_q, v}, where d_p = d mod (p -
1), d_q = d mod (q - 1), and d is the private exponent, calculate d_p = [1 + (p - 1)(e - k_p)] u
mod 2^b, d_q = [1 + (q - 1)(e - k_q)] u mod 2^b, where b is an integer such that p < 2^b and q <
2^b, and u is the value satisfying ue mod 2^b = 1.

In a second example, and referring now to Figure 3, initially store the private key
parameters as {p, q, k_p, k_q}, where p, q, k_p, and k_q are as in the first example. To recover
the private key, first compute the value v satisfying pv mod q = 1. Then proceed using
{p, q, k_p, k_q, v} as in the first example.



In a third example, and referring now to Figure 4, initially store the private key
parameters as {seed, k_p, k_q, v}, where: seed is the input to the algorithm that generates the
prime factors p and q of the public modulus; and k_p, k_q, and v are as in the first example.
To recover the private key, first apply the algorithm to the seed to recover the values of p
and q. Then, proceed using {p, q, k_p, k_q, v} as in the first example. Numerous seed
algorithms are known in the art. See for example algorithms that generate prime numbers
from a random seed, at Appendix 2 of [FIPS186] U.S. Department of
Commerce/National Institute of Standards and Technology, "Digital Signature Standard
(DSS)," FIPS PUB 186-2, January 27, 2000.

§ 

§. 111 a fourth exam P le > 311(1 referring now to Figure 5, initially store the private key 
y parameters as {seed, k p , k q } where: seed, k p and k q are as in the third example. To 
q recover the private key, first apply the algorithm to the seed to recover the values of p and 
Oj q. Then proceed using {p, q, k p , k q } as in the second example. 

fi 

In an alternate embodiment, initially store the private key parameters using any of the
formats described in the previous four examples. When recovering the private key,
instead of using the calculations for d_p and d_q described in the previous examples,
calculate d_p = [1 + (p - 1)(e - k_p)] / e and d_q = [1 + (q - 1)(e - k_q)] / e. Also, as another
alternative in the preceding examples, instead of storing k_p and k_q, k_p and k_q could be
calculated from p, q, and e. Each could be computed using Euclid's algorithm, or a
common variation thereof, although this may introduce a security vulnerability because
the sequence of operations depends on p and q. Alternatively, in the case that e is prime,
as with the popular value e = 2^16 + 1, each can be computed using modular
exponentiation, using the formulas k_p = (p - 1)^(e - 2) mod e and k_q = (q - 1)^(e - 2) mod e;
this can be done without introducing a security vulnerability because the sequence of
operations can be made independent of p and q. Since e is a small number, the
computational expense of computing k_p and k_q is often negligible compared to the
computational expense of the RSA private-key operation.

In a fifth example, and referring now to Figure 6, initially store the private key
parameters as {p, q, k} where: p and q are the prime factors of the public modulus; and k
is the value satisfying k (p - 1)(q - 1) mod e = 1, where e is the public exponent. To
recover the private key in the usual non-CRT form of {n, d}, where n is the public
modulus and d the private exponent, calculate n = pq and d = [1 + (p - 1)(q - 1)(e - k)] t mod
2^(2b), where b is an integer such that p < 2^b and q < 2^b, and t is the value satisfying te mod
2^(2b) = 1.

In a sixth example, and referring now to Figure 7, initially store the private key
parameters using the format in the fifth example. When recovering the private key,
instead of using the calculation for d described in the fifth example, calculate d = [1 + (p
- 1)(q - 1)(e - k)] / e.
In a seventh example, and referring now to Figure 8, initially store the private key
parameters using the format in the fifth example. When recovering the private key, first
compute the private exponent d using the calculation in either of the prior two (fifth or
sixth) examples. Then, to recover the private key in the usual CRT form of {p, q, d_p, d_q,
v}, calculate d_p = d mod (p - 1) and d_q = d mod (q - 1), and compute the value v
satisfying pv mod q = 1.
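The fifth and seventh examples end to end, as an added example that is not the patent's own code: store {p, q, k}, recover {n, d} with the division-free formula, then derive the CRT form; k, k_p and k_q are computed by modular exponentiation modulo the prime e, as in the alternate embodiment above. The toy primes, b, and the function names are constructed assumptions.

```python
# Added example (not the patent's code): fifth example (store {p, q, k},
# recover {n, d} with t = e^-1 mod 2^(2b)) followed by the seventh example
# (derive {p, q, d_p, d_q, v} from the recovered d), with k, k_p, k_q obtained
# by modular exponentiation because e = 2^16 + 1 is prime.

E = 65537      # public exponent e = 2^16 + 1 (prime)
P = 1000003    # constructed prime p (toy size; real keys use ~512+ bits)
Q = 1000033    # constructed prime q (toy size)
B = 20         # b: an integer with p < 2^b and q < 2^b


def k_by_fermat(x, e):
    """Inverse of x modulo the prime e as x^(e-2) mod e: a modular
    exponentiation whose operation sequence does not vary with x."""
    return pow(x % e, e - 2, e)


def store_non_crt(p, q, e):
    """Fifth example's stored set {p, q, k} with k(p-1)(q-1) mod e = 1."""
    return {"p": p, "q": q, "k": k_by_fermat((p - 1) * (q - 1), e)}


def recover_non_crt(stored, e, b):
    """Fifth example: n = pq and d = [1 + (p-1)(q-1)(e-k)] t mod 2^(2b),
    where te mod 2^(2b) = 1; no division by e is performed."""
    p, q, k = stored["p"], stored["q"], stored["k"]
    mask = (1 << (2 * b)) - 1               # 'mod 2^(2b)' = keep 2b bits
    t = pow(e, -1, 1 << (2 * b))            # t depends only on e and b
    d = ((1 + (p - 1) * (q - 1) * (e - k)) * t) & mask
    return {"n": p * q, "d": d}


def recover_crt_form(stored, e, b):
    """Seventh example: recover d first, then d_p = d mod (p-1),
    d_q = d mod (q-1), and v = p^(q-2) mod q so that pv mod q = 1."""
    p, q = stored["p"], stored["q"]
    d = recover_non_crt(stored, e, b)["d"]
    return {"p": p, "q": q, "dp": d % (p - 1), "dq": d % (q - 1),
            "v": pow(p, q - 2, q)}


def storage_bits_non_crt(b, e):
    """Bits for {n, d} versus {p, q, k} (k stored as the value k - 1)."""
    return 4 * b, 2 * b + (e - 2).bit_length()


def sign_verify_roundtrip(m, stored, e, b):
    """Sign m with the recovered private exponent, verify with (n, e)."""
    key = recover_non_crt(stored, e, b)
    s = pow(m, key["d"], key["n"])
    return pow(s, e, key["n"]) == m
```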

While embodiments and applications of this invention have been shown and 
described, it would be apparent to those skilled in the art that many more modifications 
than mentioned above are possible without departing from the inventive concepts herein. 
The invention, therefore, is not to be restricted except in the spirit of the appended claims. 
What is claimed is:

1. A cryptosystem private key recovery device, comprising in combination:
a processor;

a nonvolatile memory space operatively coupled to said processor; and
a set of private key parameters stored in said nonvolatile memory space utilizing
less storage space than the full parameter set {p, q, d_p, d_q, v} and providing better
computational efficiency than the minimal parameter set {p, q}, wherein the private key
can be recovered from said set of stored private key parameters.

2. The cryptosystem private key recovery device of claim 1 further comprising said 
set of private key parameters defined by the parameters {p ,q ,k p ,k q , v} wherein p and q 
are given prime factors of a public modulus, k p and k„ are derived from k p (p-1) mod e=l 
and k q (q-1) mod e=l, e is a given public exponent and v is derived from pv mod q=l. 

3. The cryptosystem private key recovery device of claim 2 further comprising: 
a dp calculator in active cooperation with said processor and configured to 

calculate dp from djHXp-lXe-kp^u mod 2 b ; 

a d q calculator in active cooperation with said processor and configured to 
calculate d q from d q =[l+(q-l)(e-kq)]u mod 2 b ; and 

wherein b is an integer such that p is less than 2 b and q is less than 2 b , and ue mod 

2 b =l. 
4. The cryptosystem private key recovery device of claim 3 further comprising a private key parameter assembler for assembling the private key parameters {p, q, dp, dq, v} from said stored and calculated values. 

5. The cryptosystem private key recovery device of claim 2 further comprising: 
a dp calculator in active cooperation with said processor and configured to calculate dp from dp = [1 + (p - 1)(e - kp)]/e; and 
a dq calculator in active cooperation with said processor and configured to calculate dq from dq = [1 + (q - 1)(e - kq)]/e. 

6. The cryptosystem private key recovery device of claim 5 further comprising a private key parameter assembler for assembling the private key parameters {p, q, dp, dq, v} from said stored and calculated values. 

7. The cryptosystem private key recovery device of claim 1 further comprising said set of private key parameters defined by the parameters {p, q, kp, kq} wherein p and q are given prime factors of a public modulus, kp and kq are derived from kp(p - 1) mod e = 1 and kq(q - 1) mod e = 1, and e is a given public exponent. 

8. The cryptosystem private key recovery device of claim 7 further comprising a v calculator in active cooperation with said processor and configured to calculate v from pv mod q = 1. 

9. The cryptosystem private key recovery device of claim 8 further comprising: 
a dp calculator in active cooperation with said processor and configured to calculate dp from dp = [1 + (p - 1)(e - kp)]u mod 2^b; 
a dq calculator in active cooperation with said processor and configured to calculate dq from dq = [1 + (q - 1)(e - kq)]u mod 2^b; and 
wherein b is an integer such that p is less than 2^b and q is less than 2^b, and ue mod 2^b = 1. 

10. The cryptosystem private key recovery device of claim 9 further comprising a private key parameter assembler for assembling the private key parameters {p, q, dp, dq, v} from said stored and calculated values. 

11. The cryptosystem private key recovery device of claim 8 further comprising: 
a dp calculator in active cooperation with said processor and configured to calculate dp from dp = [1 + (p - 1)(e - kp)]/e; and 
a dq calculator in active cooperation with said processor and configured to calculate dq from dq = [1 + (q - 1)(e - kq)]/e. 
12. The cryptosystem private key recovery device of claim 10 further comprising a private key parameter assembler for assembling the private key parameters {p, q, dp, dq, v} from said stored and calculated values. 

13. The cryptosystem private key recovery device of claim 1 further comprising said set of private key parameters defined by the parameters {seed, kp, kq, v} wherein kp and kq are derived from kp(p - 1) mod e = 1 and kq(q - 1) mod e = 1, e is a given public exponent, v is derived from pv mod q = 1, and seed is a value derived from a random number generator. 

14. The cryptosystem private key recovery device of claim 13 further comprising: 
a p calculator in active cooperation with said processor and configured to calculate p from said seed; and 
a q calculator in active cooperation with said processor and configured to calculate q from said seed. 

15. The cryptosystem private key recovery device of claim 14 further comprising: 
a dp calculator in active cooperation with said processor and configured to calculate dp from dp = [1 + (p - 1)(e - kp)]u mod 2^b; 
a dq calculator in active cooperation with said processor and configured to calculate dq from dq = [1 + (q - 1)(e - kq)]u mod 2^b; and 
wherein b is an integer such that p is less than 2^b and q is less than 2^b, and ue mod 2^b = 1. 

16. The cryptosystem private key recovery device of claim 15 further comprising a private key parameter assembler for assembling the private key parameters {p, q, dp, dq, v} from said stored and calculated values. 

17. The cryptosystem private key recovery device of claim 14 further comprising: 
a dp calculator in active cooperation with said processor and configured to calculate dp from dp = [1 + (p - 1)(e - kp)]/e; and 
a dq calculator in active cooperation with said processor and configured to calculate dq from dq = [1 + (q - 1)(e - kq)]/e. 

18. The cryptosystem private key recovery device of claim 17 further comprising a private key parameter assembler for assembling the private key parameters {p, q, dp, dq, v} from said stored and calculated values. 

19. The cryptosystem private key recovery device of claim 1 further comprising said set of private key parameters defined by the parameters {seed, kp, kq} wherein kp and kq are derived from kp(p - 1) mod e = 1 and kq(q - 1) mod e = 1, e is a given public exponent, and seed is a value derived from a random number generator. 
20. The cryptosystem private key recovery device of claim 19 further comprising: 
a p calculator in active cooperation with said processor and capable of calculating p from said seed; and 
a q calculator in active cooperation with said processor and capable of calculating q from said seed. 

21. The cryptosystem private key recovery device of claim 20 further comprising a v calculator in active cooperation with said processor and configured to calculate v from pv mod q = 1. 

22. The cryptosystem private key recovery device of claim 21 further comprising: 
a dp calculator in active cooperation with said processor and configured to calculate dp from dp = [1 + (p - 1)(e - kp)]u mod 2^b; 
a dq calculator in active cooperation with said processor and configured to calculate dq from dq = [1 + (q - 1)(e - kq)]u mod 2^b; and 
wherein b is an integer such that p is less than 2^b and q is less than 2^b, and ue mod 2^b = 1. 

23. The cryptosystem private key recovery device of claim 22 further comprising a private key parameter assembler for assembling the private key parameters {p, q, dp, dq, v} from said stored and calculated values. 

24. The cryptosystem private key recovery device of claim 21 further comprising: 
a dp calculator in active cooperation with said processor and configured to calculate dp from dp = [1 + (p - 1)(e - kp)]/e; and 
a dq calculator in active cooperation with said processor and configured to calculate dq from dq = [1 + (q - 1)(e - kq)]/e. 

25. The cryptosystem private key recovery device of claim 24 further comprising a private key parameter assembler for assembling the private key parameters {p, q, dp, dq, v} from said stored and calculated values. 

26. The cryptosystem private key recovery device of claim 1 further comprising said set of private key parameters defined by the parameters {p, q, v} wherein p and q are given prime factors of a public modulus, and v is derived from pv mod q = 1. 

27. The cryptosystem private key recovery device of claim 26 further comprising: 
a kp calculator in active cooperation with said processor and configured to calculate kp from kp(p - 1) mod e = 1; 
a kq calculator in active cooperation with said processor and configured to calculate kq from kq(q - 1) mod e = 1; and 
wherein e is a given public exponent. 
28. The cryptosystem private key recovery device of claim 27 further comprising: 
a dp calculator in active cooperation with said processor and configured to calculate dp from dp = [1 + (p - 1)(e - kp)]u mod 2^b; 
a dq calculator in active cooperation with said processor and configured to calculate dq from dq = [1 + (q - 1)(e - kq)]u mod 2^b; and 
wherein b is an integer such that p is less than 2^b and q is less than 2^b, and ue mod 2^b = 1. 

29. The cryptosystem private key recovery device of claim 28 further comprising a private key parameter assembler for assembling the private key parameters {p, q, dp, dq, v} from said stored and calculated values. 

30. The cryptosystem private key recovery device of claim 27 further comprising: 
a dp calculator in active cooperation with said processor and configured to calculate dp from dp = [1 + (p - 1)(e - kp)]/e; and 
a dq calculator in active cooperation with said processor and configured to calculate dq from dq = [1 + (q - 1)(e - kq)]/e. 

31. The cryptosystem private key recovery device of claim 30 further comprising a private key parameter assembler for assembling the private key parameters {p, q, dp, dq, v} from said stored and calculated values. 

32. The cryptosystem private key recovery device of claim 1 further comprising said set of private key parameters defined by the parameters {p, q} wherein p and q are given prime factors of a public modulus. 

33. The cryptosystem private key recovery device of claim 32 further comprising: 
a kp calculator in active cooperation with said processor and configured to calculate kp from kp(p - 1) mod e = 1; 
a kq calculator in active cooperation with said processor and configured to calculate kq from kq(q - 1) mod e = 1; and 
wherein e is a given public exponent. 

34. The cryptosystem private key recovery device of claim 33 further comprising a v calculator in active cooperation with said processor and configured to calculate v from pv mod q = 1. 

35. The cryptosystem private key recovery device of claim 34 further comprising: 
a dp calculator in active cooperation with said processor and configured to calculate dp from dp = [1 + (p - 1)(e - kp)]u mod 2^b; 
a dq calculator in active cooperation with said processor and configured to calculate dq from dq = [1 + (q - 1)(e - kq)]u mod 2^b; and 
wherein b is an integer such that p is less than 2^b and q is less than 2^b, and ue mod 2^b = 1. 

36. The cryptosystem private key recovery device of claim 35 further comprising a private key parameter assembler for assembling the private key parameters {p, q, dp, dq, v} from said stored and calculated values. 

37. The cryptosystem private key recovery device of claim 34 further comprising: 
a dp calculator in active cooperation with said processor and configured to calculate dp from dp = [1 + (p - 1)(e - kp)]/e; and 
a dq calculator in active cooperation with said processor and configured to calculate dq from dq = [1 + (q - 1)(e - kq)]/e. 

38. The cryptosystem private key recovery device of claim 37 further comprising a private key parameter assembler for assembling the private key parameters {p, q, dp, dq, v} from said stored and calculated values. 

39. The cryptosystem private key recovery device of claim 1 further comprising said set of private key parameters defined by the parameters {seed, v} wherein v is derived from pv mod q = 1, and seed is a value derived from a random number generator. 

40. The cryptosystem private key recovery device of claim 39 further comprising: 
a p calculator in active cooperation with said processor and configured to calculate p from said seed; and 
a q calculator in active cooperation with said processor and configured to calculate q from said seed. 

41. The cryptosystem private key recovery device of claim 40 further comprising: 
a kp calculator in active cooperation with said processor and configured to calculate kp from kp(p - 1) mod e = 1; 
a kq calculator in active cooperation with said processor and configured to calculate kq from kq(q - 1) mod e = 1; and 
wherein e is a given public exponent. 

42. The cryptosystem private key recovery device of claim 41 further comprising: 
a dp calculator in active cooperation with said processor and configured to calculate dp from dp = [1 + (p - 1)(e - kp)]u mod 2^b; 
a dq calculator in active cooperation with said processor and configured to calculate dq from dq = [1 + (q - 1)(e - kq)]u mod 2^b; and 
wherein b is an integer such that p is less than 2^b and q is less than 2^b, and ue mod 2^b = 1. 
43. The cryptosystem private key recovery device of claim 42 further comprising a private key parameter assembler for assembling the private key parameters {p, q, dp, dq, v} from said stored and calculated values. 

44. The cryptosystem private key recovery device of claim 41 further comprising: 
a dp calculator in active cooperation with said processor and configured to calculate dp from dp = [1 + (p - 1)(e - kp)]/e; and 
a dq calculator in active cooperation with said processor and configured to calculate dq from dq = [1 + (q - 1)(e - kq)]/e. 

45. The cryptosystem private key recovery device of claim 44 further comprising a private key parameter assembler for assembling the private key parameters {p, q, dp, dq, v} from said stored and calculated values. 

46. The cryptosystem private key recovery device of claim 1 further comprising said set of private key parameters defined by the parameters {seed} wherein seed is a value derived from a random number generator. 

47. The cryptosystem private key recovery device of claim 46 further comprising: 
a p calculator in active cooperation with said processor and capable of calculating p from said seed; and 
a q calculator in active cooperation with said processor and capable of calculating q from said seed. 

48. The cryptosystem private key recovery device of claim 47 further comprising: 
a kp calculator in active cooperation with said processor and configured to calculate kp from kp(p - 1) mod e = 1; 
a kq calculator in active cooperation with said processor and configured to calculate kq from kq(q - 1) mod e = 1; and 
wherein e is a given public exponent. 

49. The cryptosystem private key recovery device of claim 48 further comprising a v calculator in active cooperation with said processor and configured to calculate v from pv mod q = 1. 

50. The cryptosystem private key recovery device of claim 49 further comprising: 
a dp calculator in active cooperation with said processor and configured to calculate dp from dp = [1 + (p - 1)(e - kp)]u mod 2^b; 
a dq calculator in active cooperation with said processor and configured to calculate dq from dq = [1 + (q - 1)(e - kq)]u mod 2^b; and 
wherein b is an integer such that p is less than 2^b and q is less than 2^b, and ue mod 2^b = 1. 

51. The cryptosystem private key recovery device of claim 50 further comprising a private key parameter assembler for assembling the private key parameters {p, q, dp, dq, v} from said stored and calculated values. 

52. The cryptosystem private key recovery device of claim 49 further comprising: 
a dp calculator in active cooperation with said processor and configured to calculate dp from dp = [1 + (p - 1)(e - kp)]/e; and 
a dq calculator in active cooperation with said processor and configured to calculate dq from dq = [1 + (q - 1)(e - kq)]/e. 

53. The cryptosystem private key recovery device of claim 52 further comprising a private key parameter assembler for assembling the private key parameters {p, q, dp, dq, v} from said stored and calculated values. 

54. A cryptosystem private key recovery device, comprising in combination: 
a processor; 
a nonvolatile memory space operatively coupled to said processor; and 
a set of private key parameters stored in said nonvolatile memory space and utilizing less storage space than the full parameter set {n, d} and providing better computational efficiency than the minimal parameter set {p, q}. 
55. The cryptosystem private key recovery device of claim 54 further comprising said set of private key parameters defined by the parameters {p, q, k} wherein p and q are given prime factors of a public modulus, k is derived from k(p - 1)(q - 1) mod e = 1, and e is a given public exponent. 

56. The cryptosystem private key recovery device of claim 55 further comprising an n calculator in active cooperation with said processor and configured to calculate n from n = pq. 

57. The cryptosystem private key recovery device of claim 56 further comprising a d calculator in active cooperation with said processor and configured to calculate d from d = [1 + (p - 1)(q - 1)]t mod 2^(2b), wherein te mod 2^(2b) = 1 and b is an integer such that p is less than 2^b and q is less than 2^b. 

58. The cryptosystem private key recovery device of claim 57 further comprising a private key parameter assembler for assembling the private key parameters {n, d} from said stored and calculated values. 

59. The cryptosystem private key recovery device of claim 56 further comprising a d calculator in active cooperation with said processor and configured to calculate d from d = [1 + (p - 1)(q - 1)]/e. 

60. The cryptosystem private key recovery device of claim 59 further comprising a private key parameter assembler for assembling the private key parameters {n, d} from said stored and calculated values. 

61. The cryptosystem private key recovery device of claim 57 further comprising: 
a dp calculator in active cooperation with said processor and configured to calculate dp from dp = d mod (p - 1); and 
a dq calculator in active cooperation with said processor and configured to calculate dq from dq = d mod (q - 1). 

62. The cryptosystem private key recovery device of claim 61 further comprising a v calculator in active cooperation with said processor and configured to calculate v from pv mod q = 1. 

63. The cryptosystem private key recovery device of claim 62 further comprising a private key parameter assembler for assembling the private key parameters {p, q, dp, dq, v} from said stored and calculated values. 

64. The cryptosystem private key recovery device of claim 59 further comprising: 
a dp calculator in active cooperation with said processor and configured to calculate dp from dp = d mod (p - 1); and 
a dq calculator in active cooperation with said processor and configured to calculate dq from dq = d mod (q - 1). 

65. The cryptosystem private key recovery device of claim 64 further comprising a v calculator in active cooperation with said processor and configured to calculate v from pv mod q = 1. 

66. The cryptosystem private key recovery device of claim 65 further comprising a private key parameter assembler for assembling the private key parameters {p, q, dp, dq, v} from said stored and calculated values. 

67. A method for recovering a private key, comprising in combination: 
storing private key parameters in a memory space; 
utilizing less storage space for said private key parameters than the full parameter set {p, q, dp, dq, v}; and 
providing better computational efficiency than the minimal parameter set {p, q}. 

68. A method for recovering a private key, comprising in combination: 
storing private key parameters in a memory space; 
utilizing less storage space for said private key parameters than the full parameter set {n, d}; and 
providing better computational efficiency than the minimal parameter set {p, q}. 
ABSTRACT 

Disclosed herein is a system and method for storage and recovery of a private key 
in a cryptographic system by providing a parameterization of the private key that uses 
less storage space than the full CRT parameter set {p, q, dp, dq, v} and that provides 
better computational efficiency than the minimal parameter set {p, q}. Also disclosed is a 
system and method for storage and recovery of a private key in a cryptographic system 
by providing a parameterization of the private key that uses less storage space than the 
full non-CRT parameter set {n, d} and that provides better computational efficiency than 
the minimal parameter set {p, q}. Furthermore, disclosed herein is a means for computing 
the parameters dp, dq, and d in a manner such that the computational sequence is 
independent of the values of the prime factors p and q, thereby reducing vulnerability to 
attacks that exploit such dependence. 